This cold war with you
Many in the security industry, myself included, are guilty of falling into the trap of saying that security is a discipline in which the big “wins” come when “nothing happens.” It’s an easy statement to make, especially when working with business leaders who see only the end result (i.e., no breach, no media headline) and make this claim. Where did this idea come from? It’s a bit of a “chicken and egg” conundrum, and no one I’ve spoken to knows exactly when this saying started to become commonplace, but most admit to using it or hearing it regularly. Despite how frequently the phrase is thrown around, nothing could be farther from the truth.
“Security is winning when nothing happens” results from a misunderstanding of security and/or a sole focus on outcomes. Of course security “wins” in the absence of a breach, data loss or theft, or other incident, but that certainly doesn’t mean “nothing” has happened. Without a doubt it doesn’t mean that, and security practitioners, above all else, should understand the work that goes into preventing a security incident. However, when pressed with questions about “what happened” by business executives, many security practitioners are left quoting blocked spam counts, even though we all know that’s not effective. Still today, the metrics presented by a lot of security teams earn an executive’s giant yawn or sudden need to check her/his mobile phone. Business units don’t care how much spam was blocked, only that the company didn’t fall victim to a breach.
The sun goes down and it leaves me sad and blue
But here’s the rub: Security has to develop better methods of communicating to executives the effort required to stop breaches and/or data loss. Yes, cybersecurity is now acknowledged and even the least savvy business executive is minimally aware that information security is a thing requiring attention and budget. A person can’t pick up a Wall Street Journal or Forbes without seeing stories about cybercrime, so even if the business professional doesn’t understand security (and should they be required to, really?), they comprehend its seriousness.
To this point, Steve Orrin, Chief Technologist for Intel Federal, says, “In the ever-changing and evolving threat landscape, security isn’t a zero sum game.” Although the result of a great security program is the absence of an incident (though even great security programs suffer incidents), it’s important for executive leadership to understand that security does not equal magic. Security isn’t a plug-and-play multi-million dollar tool and, voilà! The company is safe. Yet some executives actually believe that; the expensive piece of technology sure did impact the organization’s ability to expand into a new region or hire more sales people, those who generate revenue rather than spend it. And since an incident hasn’t been detected—the company must be secure, right?
Though you won’t speak and I won’t speak, it’s true
A danger zone exists when budget holders don’t see the human effort put into a security program. Obviously executives like to be kept out of the headlines and (I’m guessing) don’t like to spend money on data breach cleanup or investigations, but is that enough? Maybe not. At some point the fear factor of being caught in a breach (even publicly) is going to wear off; executives can read stock prices and company valuations and clearly see that the Targets and Macys and TJXs of the world are sailing along just fine financially.
Orrin agrees: “Security teams and their executive leadership (CISOs, CSOs, Director of Security, etc.) have to help the C-suite and board understand the risks [of not having a supported security program] and the impact of their efforts.” Unfortunately, plenty of MISTI conference delegates share stories about how they’re constantly faced with the question, “How do we know security’s working?” These same delegates are put between a rock and a hard place, because security practitioners know that presenting a lot of technical details, indeed the ones that show a program is working, will not further the security program’s cause in the eyes of the CEO. While security practitioners are fascinated by threat reports and log data, nothing could be more sleep-inducing to non-security professionals.
Oh, let’s do right or let’s just say we’re through
“Frameworks like NIST’s Cyber Security Framework (CSF) help map security controls and risks to the lines of business and overall business risks in terms and models that can be consumed by corporate executives,” says Orrin. Tools like the CSF are beneficial for high-level presentations and obtaining buy-in on security projects, but they still don’t show “what’s happening” on a daily basis. This is not to say security teams need to roll out activity lists; doing so won’t accomplish much either. What they can do, suggests Orrin, is to demonstrate how “security operations and infosec teams are constantly improving and monitoring the controls and capabilities they have deployed.” In addition, he advises, teams should build analytics around “continuous monitoring and threat intelligence to observe the enterprise and report when violations have been intercepted and stopped, as well as identify anomalous activity that may be an indicator of compromise which requires a response and mitigation (as well as improvements to block it moving forward).”
The most important suggestion provided by Orrin on this topic is that communication is king: “Security dashboards, reporting, GRC, and cyber monitoring help illustrate both the threats that have been prevented and the incidents currently being mitigated.” He reiterates that it’s the responsibility of security leadership to help business executives understand processes. Too often security teams take a mindset that security is too hard for others to understand, or that everyone should understand security already because it impacts daily life. The industry needs to change that mindset. How would you feel if your doctor said to you, “You have a problem, but I am not going to explain how it works to you because it doesn’t matter”? That happened to me once, and you know what? It made me angry. I switched doctors to one who wasn’t such an [insert expletive here].
I just can’t stand another cold war with you
Corporate teams aren’t going to obliterate security teams if communication is problematic, but they will start reducing support and funding if security continues its inability to communicate how it impacts the organization beyond, “We prevented a breach.” The “nothing happened” well could easily dry up and, as Orrin points out, “Data breaches and APTs typically have long spans of exposure before the issue is identified, so ‘nothing happening’ equals ‘you don’t know it yet’.”